NIOS supports SAML (Security Assertion Markup Language) 2.0 authentication for Single Sign-On (SSO). SAML provides a standard, vendor-independent grammar and protocol for transferring information about a user from one web server to another, independent of the servers' DNS domains. SAML enables IT administrators to manage user access rights in a single place. By enabling SAML, user management is delegated to an external application, relieving IT administrators of the complexity of maintaining user accounts in every application (also known as a Service Provider) used by the organization. Instead, IT administrators maintain one account in the Identity Provider (IdP), which can be used across Service Providers (SPs). The IdP is the application server that maintains the user accounts of the entire organization, so IT administrators can manage users' access rights in one place. Users can log in to the IdP directly and, once logged in, navigate to the required SP without being prompted for a user ID and password. SAML helps NIOS delegate identity management to a third-party SSO application (the IdP) and thereby eases administrative effort.

Note

You need super user permissions to perform SAML-related configurations.

SAML Login Use Cases

The following is a list of use cases and the outcome when NIOS users attempt to log in, both when SAML authentication is in use and when it is not:

  • If SAML is enabled and users have already logged in to the IdP account and the corresponding user account is present in NIOS, users can directly start using Grid Manager without logging in to NIOS.

  • If a user has logged in to the IdP account and the corresponding IdP account is not present in NIOS, if the Auto Create User checkbox is selected, the user can directly start using Grid Manager without logging in to NIOS. For information about the Auto Create User checkbox, see Auto Creating SAML Users in NIOS.

  • If a NIOS user who is not SAML-authorized tries to log in to NIOS using the SSO Login button, the login fails. However, the user can log in using the Login button.

...

  • When adding the NIOS application in the IdP, specify the Grid Manager URL in the https://<Grid Manager IP address>:8765/?acs format. This is referred to as the Assertion Consumer Service URL or ACS URL. Port 8765 is opened for SAML services.

  • After you add NIOS to the IdP, either copy the metadata or the metadata URL or specify it in the SAML configuration screen.

  • Ports 443 (HTTPS) and 80 (HTTP) must be allowed on the firewall to allow NIOS to communicate with the IdP.

  • Ensure that the group that you specify in the IdP also exists in NIOS with the same users as that in the IdP. If you did not specify a group attribute in IdP, SAML authenticated users are added to the default SAML group: saml-group.

  • SAML authentication in NIOS requires configuring an Identity Provider (IdP) for authentication. Infoblox-verified IdPs are listed by name in the IDP Type drop-down list. The IDP Type drop-down list also contains the Others option for users who wish to configure an IdP that is not listed. Because of inconsistent compliance with SAML standards and widely varying IdP vendor implementations, Infoblox is unable to provide configuration support if you select the Others option. Infoblox recommends that you contact the IdP vendor for support if you use this option.
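The prerequisites above (the ACS URL format, the IdP metadata you copy into the SAML configuration screen, and the group attribute that must match an existing NIOS group, defaulting to saml-group) can be sanity-checked before touching Grid Manager. The following script is an added example and is not Infoblox code: it builds and validates the ACS URL, parses a constructed IdP metadata document for the entityID, SingleSignOnService endpoints and signing certificate, and resolves the group attribute from a constructed AttributeStatement against a set of NIOS group names. The metadata and assertion snippets are constructed samples, the `group` attribute name and the rule of taking the first matching value for a multi-valued attribute are assumptions, and the `nios_groups` set stands in for whatever group list you export from NIOS.

```python
"""Pre-checks for a NIOS SAML setup (added example, not Infoblox code)."""
import ipaddress
import xml.etree.ElementTree as ET  # for untrusted metadata prefer defusedxml
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML_PORT = 8765            # port NIOS opens for SAML services (from the page)
DEFAULT_GROUP = "saml-group"  # group used when the IdP sends no group attribute


def acs_url(grid_manager_ip: str) -> str:
    """Build the ACS URL in the documented https://<Grid Manager IP>:8765/?acs form."""
    ip = ipaddress.ip_address(grid_manager_ip)  # ValueError on a malformed address
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"https://{host}:{SAML_PORT}/?acs"


def is_valid_acs_url(url: str) -> bool:
    """True only for https, port 8765, path '/' and query 'acs'."""
    p = urlparse(url)
    return p.scheme == "https" and p.port == SAML_PORT and p.path == "/" and p.query == "acs"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the NIOS SAML screen needs from IdP metadata; raise if unusable."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # a KeyDescriptor without a 'use' attribute is valid for signing as well
        if kd.get("use", "signing") == "signing":
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append("".join(cert.text.split()))
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def assertion_attributes(xml_text: str) -> dict:
    """Map attribute Name -> list of values from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.iter(f"{{{NS['saml']}}}Attribute")}


def nios_group_for(attrs: dict, nios_groups: set, attr_name: str = "group") -> str:
    """Resolve the IdP group to a NIOS group; missing attribute -> saml-group."""
    values = attrs.get(attr_name) or []
    if not values:
        return DEFAULT_GROUP
    for g in values:  # assumption: first value that exists in NIOS wins
        if g in nios_groups:
            return g
    raise ValueError(f"IdP group(s) {values} do not exist in NIOS; create the group first")


# Constructed sample IdP metadata (not from any real IdP).
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBexampleCERTbase64==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample AttributeStatement carrying a group attribute.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="group">
    <saml:AttributeValue>dns-admins</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

if __name__ == "__main__":
    print("ACS URL:", acs_url("10.0.0.5"))
    print("IdP:", parse_idp_metadata(SAMPLE_IDP_METADATA))
    attrs = assertion_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    print("NIOS group:", nios_group_for(attrs, {"dns-admins", DEFAULT_GROUP}))
```

Run it against the metadata your IdP actually exports before pasting that metadata into the SAML configuration screen: a missing IDPSSODescriptor or signing certificate is the usual cause of a login that fails silently, and a group value that is absent from `nios_groups` is the mismatch the group-attribute bullet above warns about.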

...

Note

If you select the Persist Auto Created User after logout checkbox and the session times out, you must manually verify whether the user account still exists in the IdP. If the user account has been deleted from the IdP, you must manually delete the corresponding account in NIOS.

Authenticating SAML Users

When you create administrators, you can authenticate them either as SAML-only administrators or as SAML/local administrators. Depending on the authentication type, administrators log in using either the SSO Login button or the Login button. For more information, see Creating Local Admins.